Who Doesn’t Love IPv6 Today? Maybe the Security Guys?

Seeing as it's World IPv6 Day, everyone is emphasizing the hard work they're doing to help spread the world about the transition to must eventually become the internet's new protocol - to do otherwise would be to suggest unpreparedness and technological backwardness. And yet, moving to a new protocol has plenty of other ramifications beyond simply having enough addresses. Interoute's Mark Lewis offers up some straight talk about new security challenges in an IPv6 world:

It is security that could become the Achilles heel of the IPv6 switchover. In the IPv4 world, securing the LAN from cyber-attacks and intrusions is far easier. With multiple enterprise devices sharing a single IPv4 address, internet facing devices such as firewalls act as a single point of protection and control. Contrastingly, IPv6 is designed for a world where everything can speak to everything else. With IPv6 becoming ubiquitous, every PC, mobile phone, tablet, printer, vending machine, could potentially be an undercover agent inside the office, working to bring down the corporate network. For organisations, it could mean they are left wide open to attack given how many of those devices are portable and neither controlled by IT nor sitting inside IT-secured networks. Every device will need to be identified and protected, including every new phone, tablet and laptop, before it is allowed to engage with the corporate network, creating a significant headache for enterprise IT teams to solve.

If you consider each employee has on average three IP devices, as well as the myriad of infrastructure and personally owned devices in each office, the scale of this task is immense. We will have no choice but to migrate eventually, and those that deploy an effective security strategy early on will be best prepared for a smooth transition.

Yikes, I think I'll just go hide behind my IPv4 firewall now so some Chinese or eastern European criminal group can't hack into my personal data through a bug in my coffee maker's firmware. That said, maybe the security guys love IPv6 too considering the fact that demand for their services might blossom alongside the new protocol.

As for this website, I'm unable to put it on IPv6 just yet since I am unwilling to uproot the whole site and move it to a new provider that can provide me a dual stack configuration and a DNS server that can serve AAAA records. But as soon as Rackspace makes it possible, I intend to make the transition.

Join the Discussion!

4 Comments So Far

As exciting as the concept of nearly ubiquitous connectivity through IPv6 is, it certainly does require a pretty large paradigm shift in how we think about security.

The clearly defined “public” and “private” IPv4 networks of today will get blurred, if not entirely erased in the new IPv6 net.

Perimeter choke points mostly disappear unless artificially forced and thus the focus of security will have to be on the devices directly.

In a world enabled by the huge IPv6 space available, these devices could consist of anything from computing platforms (phones, computers, etc) all the way to internet enabled refrigerators and toasters. Anyone who does security will realize all of those devices will have their own vulnerabilities.

Securing the myriad of devices that will be likely to be unprotected by perimeter “walls” will indeed be an immense task.

We’ve had the benefit of being able to rely on these perimeters for quite a while. It will be a hard transition, but in the end, it will be for the better when the focus of security lies directly on the devices themselves where it really always has belonged.

Mark Newton of Internode gave a good talk about IPv6 security issues at May’s AusCERT 2011 conference, which I summarized at the link associated with my name on this comment (Global Crossing Defense in Depth Security blog).